Remotely granting access to a smart environment

ABSTRACT

A method and system for providing selective access to appliances by terminals in a smart environment is provided. Each terminal and appliance is assigned a unique identification code (UID). Appliances and terminals wirelessly transmit their UID and receive UIDs transmitted by other appliances and terminals. Upon receiving a terminal's UID, an appliance queries a database to determine whether the terminal is authorized to control that appliance based on authorization information stored in the database. An owner may be notified if a terminal without authorization attempts to control an appliance or enters the environment. When a previously unauthorized user, local to the environment, desires access to the smart environment while the owner(s) is away from the environment, a request may be securely transmitted to an owner at his or her remote location. The owner may grant access to one or more appliances, and securely transmit the authorization back to the local user. Upon receipt of the authorization, the local user may control the appliance(s).

BACKGROUND OF THE INVENTION

[0001] The present invention relates generally to security. More particularly, the invention relates to a wireless lock and key system used to selectively prevent individuals from operating appliances when a predetermined set of criteria are met.

[0002] When access to an item, appliance, tool, or the like is to be restricted, generally a physical lock has been used. Locking the restricted item in a room behind a locked door is another known means to restrict access to an item or area. Conventional types of physical locks include combination locks and key locks, both commercially available on a widespread basis.

[0003] Combination locks are well known. Combination locks open only when a user has entered the correct combination code, usually a sequence of numbers. However, combination locks have many shortcomings. Many combination locks have the combination set at the factory, and the combination cannot be changed by the purchaser of the lock. In addition, once a person is given the combination, it cannot be taken away. Thus the only way to restrict access to an individual who knows the combination is to physically change the lock, which requires redistributing the new combination to each of the other prior users of the lock other than the restricted individual. Also, because a person can communicate the correct combination an unlimited number of times, there is potentially an unlimited number of persons who might know the correct combination. Once an individual has received the combination, there are no means by which that individual can physically be restricted from communicating the combination to additional individuals. Combination locks also cannot notify the owner if used without authorization.

[0004] Key locks are also known in the art. Key locks open only when the correct physical key is inserted into the lock and turned, thus opening the locking mechanism. Key locks, however, also have several disadvantages. Physical keys are easily copied, potentially allowing unwanted copies to be created and given to unauthorized individuals. Additionally, if all physical keys for a given lock are lost, a locksmith must be hired to create a replacement key, often at great cost to the lock owner. As with combination locks, the owner of the lock is generally not notified if the lock is opened by a user without authorization.

[0005] There is a common problem to both key and combination locks in that access is either all or nothing. That is, an individual either has access to the lock (i.e., has the key or knows the combination) or they do not. Also, there is no way to differentiate access between users. All users who have access have the same access. There is no way, using only one lock and key, to provide certain access privileges to a first user and other access privileges to a second user.

[0006] When an individual wants to restrict access to an appliance, such as a cable control box or controls on a television, conventional physical locks have generally been used by constructing a physical barrier over the controls, with access restricted by a lock. More recently, electronic parental control devices have been developed. These systems generally allow a user, using a handheld remote control device, to input a first code key that allows programs which meet a first set of predetermined criteria to be watched, and to input a second code key to allow programs which meet a second set of predetermined criteria to be watched. In this manner, children can be restricted from watching programs deemed not suitable by parents. However, this solution is only applicable to televisions and cable set top boxes. A parent cannot use these systems to restrict access to other appliances in the household.

[0007] Another known means of restricting access to appliances, again with respect to televisions, is the use of the V-chip, which is well known in the art. The V-chip, however, only restricts access to a television, and not to additional appliances such as computers, ovens, stoves, lights, and the like.

[0008] Access to computers has been restricted using specialized software installed on the computer system. However, these software packages also only restrict use of the computer system, and not of other appliances.

[0009] A lock and key system is needed that restricts access to multiple appliances while providing ease of adaptability by providing differing access levels to different users. A system is needed that allows an owner to give other people such as family members, houseguests, etc., differing rights to use different appliances, gives the owner a method to control who can use appliances and when they can use them, and gives the owner immediate notification if an appliance is used against his or her authority.

SUMMARY OF THE INVENTION

[0010] In a first aspect of the invention, there is a method of remotely granting access to appliances in a smart environment. The method includes a set of steps. A controlling terminal receives access information from an appliance. The controlling terminal sends an access request to an administrator terminal, based in part on the access information. The controlling terminal receives access authorization from the administrator terminal.

[0011] In some embodiments, the method contains additional steps. The controlling terminal sends the access authorization to the appliance, sends a control command to the appliance, and the appliance performs the requested control command.

[0012] In some embodiments, the method includes the steps of updating a central database with the access authorization.

[0013] In some embodiments the access information comprises an authorization template specific to the appliance.

[0014] In some embodiments the access information comprises contact information for the administrator terminal.

[0015] In some embodiments, communications between the appliance, the controlling terminal, and the administrator terminal use public key/private key encryption.

[0016] In another aspect of the invention, there is a method of verifying a recipient of a set of access rights using public key/private key encryption. A first terminal hashes data corresponding to a definition of access rights associated with a second terminal. The first terminal encrypts the hash and the second terminal's public key, using the first terminal's private key. An appliance receives the encrypted hash and public key with the data corresponding to the definition of access rights. The appliance decrypts, using the first terminal's public key, the received encrypted hash and public key. The decrypted public key is compared to a trusted copy of the second terminal's public key. The appliance hashes the data and compares the hash with the decrypted hash from the previous steps.

[0017] In another aspect of the invention, there is a method of remotely granting access to an appliance. An appliance prohibits access by a controlling terminal. The controlling terminal sends an access request to an administrator terminal through a network. A server receives an authorization for access from the administrator terminal. The authorization comprises modified access rights for the controlling terminal. A central authorization database in the server is updated with information from the modified access rights, and a remote authorization database in the controlling terminal is synchronized with the central authorization database. The authorization information in the remote authorization database is sent to the appliance, and the appliance grants control to the controlling terminal based on the authorization information.

[0018] In another aspect of the invention, there is a method of remotely granting access to appliances. An appliance prohibits access by a controlling terminal. The controlling terminal sends an access request to an administrator terminal through a network. The controlling terminal receives an authorization for access from the administrator terminal, wherein the authorization comprises access right information corresponding to the controlling terminal. The access rights are sent to the appliance. The appliance grants control to the controlling terminal, and the access rights are synchronized with a central authorization database.

[0019] In some embodiments, communications between the controlling terminal, the administrator terminal, and the appliance use public key/private key encryption.

[0020] In another aspect of the invention, there is a method of remotely granting access to an appliance. An appliance prohibits access by a controlling terminal. The controlling terminal sends an access request to an administrator terminal through a network. A server receives an authorization for access from the administrator terminal, wherein the authorization comprises access rights information corresponding to the controlling terminal. A central authorization database in the server is updated with the access rights information. A remote authorization database is synchronized with the central authorization database. Authorization information in the remote authorization database is sent to the appliance, and the appliance grants control to the controlling terminal based on the authorization information.

[0021] In another aspect of the invention, there is a device for use in a smart environment. The device includes a processing unit, a transceiver, and a memory comprising computer readable instructions that, when executed by the processor, cause the device to perform a set of steps. The device sends a first control request to an appliance, receives an authorization template from the appliance, sends an authorization request to an administrator terminal, receives authorization rights from the administrator terminal, and sends a second control request to the appliance. The second control request comprises the received authorization rights and a control command.

[0022] In another aspect of the invention, there is an appliance for use in a smart environment. The appliance includes a transceiver, a processing unit, and a memory comprising computer readable instructions that, when executed by the processor, cause the appliance to perform a set of steps. The steps include receiving a first control request from a control terminal, sending an authorization ticket to the control terminal, and receiving authorization information from the control terminal. The authorization information comprises authentication information and a modified authorization ticket comprising authorization rights. The steps also include using the authentication information to verify that the authorization rights were granted by an administrator terminal to the control terminal, receiving a control command from the control terminal, and when the authorization rights were granted by the administrator terminal, performing the received control command.

[0023] In some embodiments, verification of the authorization rights includes the steps of decrypting an encrypted public key using an administrator terminal's public key, and comparing the decrypted public key to a trusted copy of the control terminal's public key.

[0024] In another aspect of the invention, there is a method of granting access rights to a terminal. The method includes the steps of a user terminal receiving a definition of rights from an appliance, the user terminal sending the definition of rights to an administrator terminal, the administrator terminal modifying the definition of rights to include access rights associated with the user terminal, the administrator terminal sending the modified definition of rights to the user terminal, the user terminal sending the modified definition of rights to the appliance, the user terminal sending a control command to the appliance, and the appliance executing the control command.
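The signing and verification steps of [0016] and [0022] to [0024], written out as an added example in Go; this is not code from the patent. The administrator signs the hash of the rights definition concatenated with the recipient terminal's public key with an Ed25519 key, which is the modern form of the patent's wording "encrypt the hash and the public key with the first terminal's private key" and gives the appliance the same two checks: the recipient key must equal its trusted copy of the control terminal's key, and the rights must not have changed since the administrator signed them. The struct fields, the JSON encoding of the template, the UIDs "television-105b" and "0240", and the check that the template names this appliance (the template is appliance-specific per [0013]) are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Rights is the authorization template the appliance hands to the requesting
// terminal ([0013]) and the administrator fills in; field names are assumed.
type Rights struct {
	Appliance string `json:"appliance"` // UID of the appliance the template is for
	Terminal  string `json:"terminal"`  // UID of the requesting terminal
	Window    string `json:"window"`    // granted times, e.g. "Mon-Fri 19:00-21:00"
}

// Ticket is the modified template plus the authentication information the
// controlling terminal forwards to the appliance ([0022]).
type Ticket struct {
	Rights       Rights
	RecipientPub ed25519.PublicKey // public key of the terminal being granted rights
	Signature    []byte            // administrator's signature over H(rights) || RecipientPub
}

// message is what the administrator signs: the hash of the rights definition
// followed by the recipient's public key, which binds the grant to one terminal.
func message(r Rights, recipient ed25519.PublicKey) ([]byte, error) {
	enc, err := json.Marshal(r) // deterministic here: fixed struct, no maps
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(enc)
	return append(h[:], recipient...), nil
}

// IssueTicket runs on the administrator terminal (FIG. 9).
func IssueTicket(adminPriv ed25519.PrivateKey, r Rights, recipient ed25519.PublicKey) (Ticket, error) {
	msg, err := message(r, recipient)
	if err != nil {
		return Ticket{}, err
	}
	return Ticket{Rights: r, RecipientPub: recipient, Signature: ed25519.Sign(adminPriv, msg)}, nil
}

// VerifyTicket runs on the appliance (FIG. 11). adminPub is the key learned at
// branding ([0057]); trustedTerminalPub is the appliance's copy of the terminal key.
func VerifyTicket(t Ticket, adminPub, trustedTerminalPub ed25519.PublicKey, ownUID string) error {
	if t.Rights.Appliance != ownUID { // the template is appliance-specific ([0013])
		return errors.New("ticket was issued for a different appliance")
	}
	if !bytes.Equal(t.RecipientPub, trustedTerminalPub) {
		return errors.New("recipient key differs from the trusted copy of the terminal key")
	}
	msg, err := message(t.Rights, t.RecipientPub)
	if err != nil {
		return err
	}
	if !ed25519.Verify(adminPub, msg, t.Signature) {
		return errors.New("signature does not verify under the administrator key")
	}
	return nil
}

// RunDemo walks one grant with fresh keys and reports whether the genuine
// ticket is accepted and whether two tampered copies are rejected.
func RunDemo() (validOK, tamperRejected, swapRejected bool, err error) {
	adminPub, adminPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	termPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed grant: a houseguest's terminal (assumed UID 0240) gets evening
	// television rights; "television-105b" is an assumed appliance UID.
	grant := Rights{Appliance: "television-105b", Terminal: "0240", Window: "Mon-Fri 19:00-21:00"}
	ticket, err := IssueTicket(adminPriv, grant, termPub)
	if err != nil {
		return
	}
	validOK = VerifyTicket(ticket, adminPub, termPub, "television-105b") == nil

	widened := ticket // the terminal edits its own grant after the administrator signed it
	widened.Rights.Window = "always"
	tamperRejected = VerifyTicket(widened, adminPub, termPub, "television-105b") != nil

	swapped := ticket // a different terminal presents the ticket under its own key
	swapped.RecipientPub = otherPub
	swapRejected = VerifyTicket(swapped, adminPub, otherPub, "television-105b") != nil
	return
}
```

RunDemo exercises the two failures the scheme exists to catch: a terminal widening its own grant after the administrator signed it, and another terminal replaying the ticket as its own. One point the patent's description leaves implicit: matching RecipientPub against the trusted copy shows whom the grant is for, not who is presenting it, so before acting on the control command the appliance still needs the terminal to prove possession of that key (for instance by signing a fresh nonce), and the trusted copy of the administrator key itself comes from the branding exchange of [0057] and [0058].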

BRIEF DESCRIPTION OF DRAWINGS

[0025] FIG. 1 shows a smart environment.

[0026] FIG. 2A shows a block diagram of a server.

[0027] FIG. 2B shows a block diagram of a terminal.

[0028] FIG. 2C shows a block diagram of an appliance.

[0029] FIG. 3A shows Unique Identifier (UID) Information.

[0030] FIG. 3B shows a portion of Access Rights Information for the UIDs of FIG. 3A.

[0031] FIG. 3C shows Neighbor UID Information for the UIDs of FIG. 3A.

[0032] FIG. 4 shows a flowchart of a user authorization process to use an appliance.

[0033] FIG. 5 shows a data flow diagram of a first embodiment of the invention.

[0034] FIG. 6 shows a data flow diagram of a second embodiment of the invention.

[0035] FIG. 7 shows a ticket definition.

[0036] FIG. 8 shows a flowchart for a user terminal to request access to an appliance.

[0037] FIG. 9 shows a flowchart for an owner terminal to remotely grant access to an appliance by a requesting terminal.

[0038] FIG. 10 shows a flowchart for a requesting terminal to receive control rights from an owner terminal, and sending control information to an appliance.

[0039] FIG. 11 shows a flowchart for an appliance to authenticate control information.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0040] Wireless connections between devices are becoming more and more widespread. The present invention uses wirelessly connected devices to create a smart environment, e.g. homes where the various household appliances are controlled remotely by one or more controlling terminals. The terminals communicate with and control appliances using a wireless technology such as Bluetooth, wireless LAN, or Home RF. Any wireless communication technology can be used.

[0041] The invention may be embodied in a system that allows the owner of an environment to control and monitor who is using and when each person can use each appliance. The inventive system may also notify the owner whenever someone who does not have rights to use the appliances within the environment attempts to use one or more of the appliances, or optionally when a user without access rights enters the environment. The notification may be sent by a short message service (SMS), email, direct network access, instant message, alphanumeric pager, WAP (wireless application protocol) service, or the like.

[0042] In a smart environment, an environment owner is often concerned that the environment can only be controlled by those that are trusted and have been given authority by the owner. The “owner” of the environment is a person that has administrative rights to the environment. This may be the actual owner or anybody he or she has authorized to act as an administrator. The owner(s) can limit the access rights and times of each user to each appliance.

[0043] Throughout this specification, the term “appliance” is used to refer to any item controlled or operated by a user, generally using a terminal (but not required, as discussed below). Examples of appliances include, but are not limited to, televisions, video cassette recorders and players, DVD players, conventional ovens, microwave ovens, kitchen appliances, lighting systems, heating systems, air conditioning systems, garage door openers, lawn sprinkler systems, stereo equipment, cable television boxes, video game consoles, computers, and the like. A user using a controller terminal can control each appliance for which the user has the proper access rights. Throughout this specification, the terms “controller” and “terminal” are used interchangeably to describe a wireless-enabled device that is used to operate or control appliances. The terminal may be a computer system, palm-top computer, personal digital assistant, mobile phone, or any other device with wireless communication capabilities.

[0044] With reference to FIGS. 1-3, a smart environment 100 may comprise a central server 103, appliances 105 a-105 e, and wireless controller terminals 107 a-107 e. Additional appliances and terminals may easily be added. The number of terminals or appliances in an environment is limited only by physical space. Appliances may communicate with server 103 using the wireless communication technology used throughout the environment, or via conventional network cabling. Unless terminals are docked in a docking station (not shown) connected to the server, terminals generally communicate with the server via wireless communications.

[0045] The server 103 is comprised of a processor 121, volatile memory 123, and nonvolatile memory 125. A database 109 is stored within the nonvolatile memory of server 103. In another variation, a third party provides the server functions, including storage of the database 109, over a network such as the Internet. It is further possible that the database is stored in one or more mobile terminal(s). A terminal in which the database is stored is referred to herein as a database terminal. When the database is stored in a mobile terminal, the other appliances and terminals generally must have a connection to the terminal in which the database is stored. The connection may be by any communication means, such as WLAN, Bluetooth, GSM via short message service (SMS), or the like. Storing the database in a terminal provides additional security because, if the terminal is removed from the environment, the appliances may become useless.

[0046] Authorization information is stored in the database and comprises unique identifier (UID) information 129 and access rights information 127, as described below. Optionally (shown in FIG. 3C), neighbor UID information may be included in the database as well. Application software 131, including an optional user interface for modifying access rights information and UID information, may also be stored in non-volatile memory 125.

[0047] Each terminal 107 has a wireless transceiver 226, a processor 227, and a memory 229. The transceiver is used for sending and receiving information such as UIDs and control information. The processor 227 is used for executing computer readable instructions 235 stored in memory 229. The memory also stores the terminal's UID 231, appliance information 233, and optionally, authorization database 109.

[0048] Each appliance 105 has a wireless transceiver 252, a processor 254, and a memory 256. The transceiver is used for sending and receiving information such as UIDs and control information. The processor 254 is used for executing computer readable instructions 260 stored in memory 256. The memory also stores the appliance's UID 258 and, optionally, authorization database 109.

[0049] Each wireless terminal and appliance is assigned a unique identification code (UID), which may comprise the Media Access Control (MAC) address for each wirelessly networked device. The UIDs are stored in database 109, optionally along with each UID's group access level (e.g., owner, administrator, family member, friend, employee, visitor, etc.). A UID information table is shown in FIG. 3A. In FIG. 3A, the terminals with UIDs 1123 and 1124 are owner terminals. The terminal with UID 0220 belongs to a child J. Smith, Jr. in the group “Family Member,” and the terminal with UID 0230 belongs to R. Jones in the group “Friend.” Other UIDs belonging to appliances are also shown.

[0050] The UIDs of any terminal and appliance may be automatically exchanged according to network protocols when they are within wireless communication range. The appliance may use the UID for a query of database 109 in order to determine whether the terminal has rights to command that appliance. The terminal may use the UID to load information regarding how to control the appliance being accessed by the terminal.

[0051] Appliances generally have a second user interface, in addition to the terminal interface, so they can be controlled physically as well as through the terminals. For example, a coffee machine may include an on/off switch so that a user may just flip the switch to turn the coffee machine on when no terminal is present. In some aspects of the invention, physical controls are disabled when it is determined that a user's terminal does not have authority to access the appliance, or when no terminal is present.

[0052] Each appliance may be associated with access rights for specified terminals. The access rights information 127 is stored in database 109, and may be modified via a user interface with the database over a computer network, such as the Internet. A sample access rights information table is shown in FIG. 3B. The owner may provide differing access rights for different appliances and/or terminals under different sets of predetermined criteria. Access rights may be terminal based, time based, or both. Terminal based access rights are rights wherein specified terminals can always access the appliance, and other terminals can never access the appliance. Time based access rights are rights wherein terminals may only access the appliance during predetermined times, and at all other times are restricted from accessing or controlling the appliance. Terminal and time based access rights are rights wherein each terminal is provided a predetermined range of time that it may access or control a specified appliance.

[0053] For example, as shown in FIG. 3B, in a smart environment within a home, one user's (owner terminal with UID 1123) terminal may have access rights to the television and oven at all times. However, a second user's (Family terminal with UID 0220, for instance, a child) terminal may have access rights to the television only from 7:00 pm-9:00 pm on Monday through Friday and from 7:00 am-9:00 pm on weekends, and have no access to the oven. A third user's (Friend terminal with UID 0230, for instance, a babysitter) terminal might have access to the television only from 9:00 am-8:00 pm regardless of the day of the week, and have no access to the oven. As shown in FIG. 3B, access rights may be terminal-specific or group-specific. For instance, any terminal in the Owner, Family Member, or Friend group will have the same access to the television as every other terminal in their respective group. However, each terminal is given specific access to the oven. Thus, one family member (for instance, an older child, not shown) may have access to the oven while a second family member (a younger child, shown) may not have any access to the oven. It is also possible to further base access rights by week, month, etc., such that access rights could vary by weeks of the month, months of the year, etc.

[0054] It is also possible that some appliances may be set to have no access restrictions, but rather the only requirement is that a terminal be present for the appliance to be used or controlled. For instance, as shown in FIG. 3B, an owner may give all users the right to switch the lights on or off. In these cases there is no need to determine whether the terminal has authorization, or even if it is known. It is enough that the terminal is in the environment, and so it will have the right to switch the lights on or off. Optionally, the appliance may query the database to determine whether the terminal at least has access rights within the environment before allowing the user to control the appliance.

[0055] When an appliance is added to an environment, the appliance is branded to that environment. That is, the appliance records the identity of its environment so that it can differentiate its own environment from other environments. This allows the appliance to determine whether it has been moved to a different environment. The identity of the environment may be established by recording UIDs transmitted by appliances near the new appliance (neighbor appliances). For example, appliance 105 e (oven) knows that it is near appliances 105 a (answering machine) and 105 c (scanner). Each appliance may store its own neighbor information into a flash memory, which can only be cleared by a terminal with authority to do so (owner terminal or special maintenance device). The neighbor UID information may also be stored collectively in database 109, a sample of which is shown in FIG. 3C.

[0056] After branding, only an owner can move the appliance out of the environment, or the appliance may not function. Optionally, even within the environment the appliance cannot be moved, except by the owner. The appliance may determine that it has been removed from its environment by determining that different neighbor appliances are surrounding it. In observing its wireless surroundings, an appliance may infer that it has been stolen if the surroundings dramatically change (e.g., more than two different neighbor appliances are detected than expected). If an appliance is stolen or otherwise taken from its own environment, it may optionally lock itself and refuse to operate until unlocked. In that event, generally an owner key may be required to unlock the appliance. The appliance may also attempt to contact its owner (not the owner of the environment in which it is now located) in order to notify the owner that it has been removed from its environment.

[0057] In an embodiment using a database terminal, a secure link between the database terminal and the appliance is created when adding a new appliance to the environment. This allows the appliance to securely determine whether the controlling terminal has rights, i.e., that the controlling terminal is a trusted database terminal. Putting the database terminal and the appliance physically close to each other creates the secure link. The appliance and the database terminal exchange their public keys or other encryption data. Thereafter the appliance and terminal will listen and communicate only to each other, such that the appliance can be safely added to the environment.

[0058] In network topologies where the database is stored in a central server or in another location, a mobile terminal, e.g., an owner terminal, and the newly added appliance are similarly branded as when the database is stored in the mobile terminal. That is, the owner terminal and the appliance establish a secure link as in the above example. The terminal, however, also establishes a secure link with the database. The secure link may be created by putting the terminal and the server physically close to each other. That is, a mobile terminal establishes a secure link with a newly added appliance, and the same mobile terminal also establishes a secure link with the database server. In such a scenario the branding of the appliance to the environment is a two-step procedure, where the terminal, as a trusted introducer, is used by the server and the appliance to establish a secure link. First, the terminal exchanges public keys with the appliance, and also exchanges the public key of the database with the appliance. The terminal then is brought near the database, and exchanges public keys with the database, as well as the public key of the appliance with the database. After this exchange, the appliance will not trust another terminal as an introducer unless the appliance is reset via a maintenance procedure.

[0059] With reference to FIG. 4, when a user wants to control an appliance, the appliance authenticates the terminal as an authorized terminal to control that appliance. The UID of the controller terminal is used as a key to the appliance. Appliances continuously listen for terminal UIDs in steps 201 and 203. Upon receiving a UID, the appliance queries the database 109 in step 205 to determine the UID's group. If the UID belongs to an owner terminal, as determined in step 207, the appliance grants control to the terminal in step 209, as owner terminal(s) have complete access to all appliances at all times. If the UID is not an owner, the appliance queries the database for the UID's access rights for that specific appliance and within the environment as a whole, in step 211. If the UID has access rights to the appliance at the present date and time, the appliance grants control to the terminal in step 209. If the UID does not have access rights, the appliance determines whether the terminal has any access rights within the environment, in step 215. If the terminal does not have any access rights within the environment, the appliance attempts to alert the owner that an unauthorized terminal is in the environment, in step 217. This may be accomplished by sending a message via email, SMS, wireless pager, or the like. If the UID does have access rights within the environment, however, the appliance may simply ignore the terminal and continue to listen for another UID. Optionally (not shown), the server may perform steps 215 and 217 after it has received the UID from the appliance in step 205.
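The FIG. 4 decision, together with the terminal based, time based and group-specific rules of [0052] to [0054], written out as an added example in Go; this is not code from the patent. The sample table is the household of [0053]: owner UIDs 1123 and 1124, child 0220 in Family Member, babysitter 0230 in Friend, the television governed by group rules with time windows, the oven by terminal-specific rules, and the lights presence-only as in [0054]. The struct layout, whole-hour windows and the constructed rows are assumptions of the example; FIG. 3B itself is not reproduced on this page.

```go
package main

import "time"

type Group string // access level recorded with each UID (FIG. 3A)

const GroupOwner, GroupFamily, GroupFriend Group = "Owner", "Family Member", "Friend"

// Window is a recurring [Start, End) hour window on the given weekdays; nil Days
// means every day, so {End: 24} is unrestricted. Hour granularity is assumed.
type Window struct {
	Days       []time.Weekday
	Start, End int
}

func (w Window) Contains(t time.Time) bool {
	dayOK := w.Days == nil
	for _, d := range w.Days {
		dayOK = dayOK || d == t.Weekday()
	}
	return dayOK && t.Hour() >= w.Start && t.Hour() < w.End
}

// Rule is one row of the access-rights table (FIG. 3B): terminal-specific
// when UID is set, group-specific when Group is set.
type Rule struct {
	Appliance, UID string
	Group          Group
	Windows        []Window
}

func (r Rule) matches(uid string, g Group) bool {
	return (r.UID != "" && r.UID == uid) || (r.UID == "" && r.Group != "" && r.Group == g)
}

type Database struct { // stands in for authorization database 109
	Groups       map[string]Group // UID -> group
	Rules        []Rule
	PresenceOnly map[string]bool // appliances any present terminal may use ([0054])
}

type Decision int

const (
	Grant      Decision = iota // step 209: hand control to the terminal
	Ignore                     // known to the environment, not entitled here and now
	AlertOwner                 // step 217: no rights anywhere in the environment
)

// Authorize follows the FIG. 4 flowchart for one UID heard by one appliance.
func Authorize(db Database, appliance, uid string, now time.Time) Decision {
	if db.PresenceOnly[appliance] {
		return Grant
	}
	group := db.Groups[uid] // step 205
	if group == GroupOwner { // step 207
		return Grant
	}
	known := group != ""
	for _, r := range db.Rules { // step 211
		if !r.matches(uid, group) {
			continue
		}
		known = true // some rule names this terminal, so it has rights here
		if r.Appliance != appliance {
			continue
		}
		for _, w := range r.Windows {
			if w.Contains(now) {
				return Grant
			}
		}
	}
	if known { // step 215
		return Ignore
	}
	return AlertOwner
}

// SampleDatabase is the household of [0053], as constructed sample data.
func SampleDatabase() Database {
	weekdays := []time.Weekday{time.Monday, time.Tuesday, time.Wednesday, time.Thursday, time.Friday}
	weekend := []time.Weekday{time.Saturday, time.Sunday}
	return Database{
		Groups: map[string]Group{"1123": GroupOwner, "1124": GroupOwner, "0220": GroupFamily, "0230": GroupFriend},
		Rules: []Rule{
			{Appliance: "television", Group: GroupOwner, Windows: []Window{{End: 24}}},
			{Appliance: "television", Group: GroupFamily, Windows: []Window{{weekdays, 19, 21}, {weekend, 7, 21}}},
			{Appliance: "television", Group: GroupFriend, Windows: []Window{{Start: 9, End: 20}}},
			{Appliance: "oven", UID: "1123", Windows: []Window{{End: 24}}},
			{Appliance: "oven", UID: "1124", Windows: []Window{{End: 24}}},
		},
		PresenceOnly: map[string]bool{"lights": true},
	}
}

// At builds a UTC timestamp; 2024-03-13 is a Wednesday and 2024-03-16 a Saturday.
func At(year, month, day, hour int) time.Time {
	return time.Date(year, time.Month(month), day, hour, 0, 0, 0, time.UTC)
}
```

With this table, Authorize(db, "television", "0220", At(2024, 3, 13, 20)) grants, the same child at 10:00 on a weekday is ignored, an unknown UID on the television raises the owner alert, and any UID on the lights is granted. A caveat the flowchart does not state: the UID is an identifier, not a credential. A MAC address is sent in the clear and can be set in software, so an appliance that grants on the UID alone can be driven by anyone who has overheard an owner's UID; this decision should run only for a terminal that has already been authenticated, which is what the key exchange at branding ([0057]) and the signed ticket of [0016] provide.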

[0060] In one embodiment, an owner terminal may be used to grant or change other terminals' access rights. These other terminals can have different levels of access, as discussed above. To authorize a new terminal, both a terminal with administrative privileges (i.e., an owner) and the terminal to which the access rights are to be given are in close proximity to each other when the database is updated. This provides an additional level of security by ensuring that only authorized persons can give access rights to terminals. The UID codes between the terminals are exchanged over a short-range link. Additional security measures such as passwords can also be utilized in the authorization process. In another embodiment, the terminals do not need to be physically close to each other, but rather the database can be updated with the new information.

[0061] In some aspects of the invention, regardless of the wireless implementation, the terminals and appliances continuously transmit their UIDs and listen for other UIDs. This allows the terminals and appliances to automatically “hear” each other when they are near each other. The UIDs allow a listening device to determine whether it has previous knowledge about the other nearby device(s), and react accordingly. For instance, when a terminal receives a UID, the terminal uses the UID to determine whether the terminal has information regarding how to control the appliance.

[0062] The central server in the smart environment polls the appliances. This can be performed continuously, hourly, daily, etc. When the server determines that an appliance is missing from the network (i.e., it is not responding when it should be), the server may automatically notify the owner controller or, optionally, all controllers.

[0063] Using the invention, keys (UIDs) can easily be revoked or modified by reprogramming or resetting the information in the terminal and/or database. Also, keys may easily be set to have different access levels, as described above. The key may be a built-in function in existing terminals, such that new wireless hardware is not required to practice the invention. However, one can easily envision a specialized terminal for use with the invention that, at a minimum, stores key information and can perform short-range wireless communications.

[0064] An owner or administrator can also use the system of the present invention as a child lock for selected appliances. For example, the system may be used to prevent a child from turning on an oven (or other appliance) without explicit permission from the parent. That is, if the child tries to turn on the oven, the oven would not respond because it would only hear the child's key (which, in this example, does not have authority to use the oven). However, if the parent enters the kitchen and the oven detects the parent by receiving the parent's key, the oven could then be turned on (because the parent's key has authority to use the oven). In one aspect of the invention, the oven (or other appliance) would switch off once the authorized key went out of range unless an authorization switch was activated on the oven (or other appliance for which protection is sought) while it was under the parent's authorization. Similar protection schemes can easily be envisioned using the inventive system. In another aspect, the oven (or other appliance) would remain on even after the authorized key went out of range.

[0065] In one aspect of the invention, the appliances report informationto the database regarding when the appliance was used, by whom theappliance was used, and for what purpose the appliance was used. Someappliances, for example a coffee maker, may only report when and whoused the appliance (as the only purpose is to make coffee). However,other appliances, such as televisions, cable television control boxes,computers, and the like, may also report programs watched, games played,applications executed, websites visited, and the like. This allowsowners (such as parents) to determine how the appliances are used, andrefine access rights based on the reporting information.

[0066] Using a smart environment as described above, it is possible toremotely apply for and admit access to a user who does not presentlyhave access rights within the environment. That is, if the ownerterminal is not physically present in the environment, and a newterminal needs to be granted access rights, the new terminal may applyfor access rights to and receive access rights from a remote ownerterminal.

[0067] In one embodiment, with reference to the ordered data flow diagram in FIG. 5, the authorization database 109 is stored on a network server 103 (optionally located outside the smart environment, as shown) and synchronized with a terminal 501. The new terminal attempts to control an appliance 503 by transmitting its UID to the appliance. The appliance, not recognizing the UID, rejects the control request because the new terminal does not have access to the appliance. The appliance may reply with the IP address, telephone number, or other similar address of the owner terminal from which authorization can be requested. The new terminal 501 then requests authorization rights from the owner terminal 507 via IP packet request, data channel in a mobile telecommunications network, or the like. When the owner terminal 507, as shown, is physically located remotely from the smart environment in which the appliance is located, the request is sent through a network 505, such as the Internet, to the owner terminal. The request, when sent via a mobile telecommunications network, will prompt the owner on his or her mobile telecommunications device. The owner may choose whether or not to grant access to the requesting terminal and, if so, during what days and/or times the terminal may have access.

[0068] The owner terminal, having received the request and a corresponding response from the user, sends the updated authorization rights to the database 109 in the server 103. The server then updates the terminal's copy of the database by synchronizing the terminal's copy with the server's updated copy. After the new terminal's database is synchronized, it will also contain the new authorization rights. Now new terminal 501 can successfully control the appliance 503. In some embodiments, the appliance's copy of the database may also be updated/synchronized before the terminal can control the appliance. The terminal may have rights to update the appliance's copy of the DB, depending on the rights granted by the owner from the owner terminal.

[0069] In another embodiment, with reference to FIG. 6, the authorization database is stored in a terminal, and may be copied to a network server. Changes to the database can be made directly to a terminal's copy of the database. The terminal and server copies of the database are synchronized each time any changes are made in either location. The new terminal 501 attempts to control the appliance 503 by transmitting its UID to the appliance. The appliance, not recognizing the UID, rejects the control request because the new terminal does not have access to the appliance. The new terminal then requests authorization rights from the owner terminal 507, based on contact information returned by the appliance. When the owner terminal 507, as shown, is physically located remotely from the smart environment in which the appliance is located, the request is sent through a network 505, such as the Internet, to the owner terminal. The owner terminal, having received the request, sends updated authorization rights to the new terminal's copy of the database. The updated authorization rights may allow for the new terminal to control the requested appliance, optionally only at predetermined days and/or times. The new terminal then synchronizes its updated database with the copy of the database 109 stored in the network server 103. The new terminal 501 may now control the appliance 503. Optionally, a copy of the database stored in the appliance is updated before the terminal can control the appliance.

[0070] It should be appreciated that other configurations are possible, in addition to those configurations shown in FIGS. 5 and 6. For instance, there may be no network copy of the database, and the database may be synchronized between devices and appliances. That is, all access rights may be stored on terminals, and each time the terminal attempts to control an appliance, the terminal sends its access rights to the appliance, as further described below. Alternatively, the database may only be located at a network location and not in individual appliances or terminals.

[0071] The rights granted to the new terminal by the remote owner terminal may be fixed or temporary. For instance, while an owner is on vacation, away from his or her smart environment, the owner may need to grant access to the smart environment to a friend who offered to water the plants. If the owner forgets to grant access before he or she leaves, the friend can still request access from the remote owner when the friend gets to the smart environment and realizes that he or she has no key. The remote owner may then grant temporary rights to the smart environment by granting access rights to the friend to allow the friend to enter the environment without triggering an alarm or other notification event. The rights granted by the owner may be permanent or temporary, depending on the days and/or times when the owner grants permission to the friend to access the environment.

[0072] With reference to FIG. 7, the authorization information provided by the remote owner terminal may include the appliance or object UID, the Function ID, the validity period of the rights, and the level of rights granted. The level of rights is used when an appliance has multiple levels of access for a single function. For instance, in a television, a function may be ‘changing channels’ while the level of rights may specify which channels the user is authorized to change the channel to. As another example, where the appliance is an electronically controlled door, the Feature ID may correspond to the feature of opening the door, while the level of rights may further specify the days and time during which the newly admitted terminal may open the door (such as only during regular business hours). The validity period typically specifies a date on which the granted rights expire, or a number of days during which the rights are valid.

[0073] Because the remote user granting authority and the local user receiving authority may be communicating over various networks, security precautions may be used to ensure secure communications. In one embodiment, public-private key encryption is used in conjunction with known hashing techniques to provide secure communications. In other embodiments, other forms of encryption or privacy technology may be used, as are known in the art and provide secure communications between the local and remote users.

[0074] With reference to FIGS. 8-11, a method for applying for and remotely granting control rights will now be explained. FIG. 8 shows a portion of the method performed when a terminal initially attempts to control an appliance without proper authorization. In step 301, a requesting terminal (RT) attempts to control an appliance for which the terminal does not have authorization. In step 303, after the appliance receives a control request from the requesting terminal, the appliance may determine that the requesting terminal does not have proper authorization based on information in database 109, or some other source. In response to the control request, the appliance may send to the requesting terminal a ticket definition, an owner terminal's (OT) public key, and the owner terminal's corresponding address. The ticket definition may include formatting for information specific to that appliance, such as an identification of various functions of the appliance and the rights levels associated with each function. Ticket definitions may vary from appliance to appliance because each appliance may have different functions and levels of rights for each function. The OT address may be a network address, telephone number, or any other destination identifying attribute to which information may be sent.

[0075] In some embodiments, hashing may be used to provide additional security. Hashing, generally, is the process of deriving a shorter alphanumeric string of text (a hash) from a longer alphanumeric string of text (the input). A hashing algorithm is generally designed to generate a hash with a very low probability that hashing two different text strings will generate an identical hash value. A sending device generates a hash of a message to be sent, encrypts the hash and the message itself, then transmits both to the receiving unit. The receiving device decrypts the message and the hash, and then produces another hash from the decrypted message. By comparing the two hashes, the receiving unit can determine with relatively high probability whether the data was altered in transit. That is, if the two hashes are identical, it is very unlikely that an intruder modified the message in transit.

[0076] In step 305, the requesting terminal may hash the ticket definition as a signature for a transmission to the owner terminal, and encrypt the hash using the requesting terminal's private key. In step 307, the ticket definition, the encrypted hash of the ticket definition, the requesting terminal's public key, and the RT's certificate authority (CA) certificate may then be packaged and encrypted using the owner terminal's public key. The requesting terminal may send the control request package to the owner terminal in step 309.

[0077] FIG. 9 shows a portion of the method that is performed by an owner terminal after having received a control request package from a requesting terminal. In step 311, the owner terminal receives the control request package from the requesting terminal. The owner terminal may decrypt the package using its private key. After decryption, in step 313, the owner terminal may authenticate that the requesting terminal's public key is authentic using the enclosed CA certificate. In step 315, the owner terminal may identify the requesting terminal. This may be performed by hashing the received ticket definition, decrypting the received hashed ticket definition using RT's public key, and comparing the two hashes. If the two hashes are the same, then the requesting terminal has been successfully identified.

[0078] After authentication and identification of the requesting terminal, the owner's terminal may grant access privileges to the requesting terminal in step 317. The granting terminal may do this by modifying the information contained in the ticket definition with new or different access privileges. In step 319, the owner terminal may hash the modified ticket definition and package the hash with a copy of RT's public key. The encrypted hash may be used as a signature to verify the rights sent back to RT. In step 321, the owner terminal may encrypt the package containing the requesting terminal's public key and the hash using the owner terminal's private key. This package may be used later to ensure that only the identified requesting terminal can use the rights granted in the ticket definition, and also to verify those rights granted to RT.

[0079] The owner terminal, in step 323, packages in a control rights package the modified ticket definition and the encrypted package containing RT's public key and the hash of the modified ticket definition. The control rights package may also be encrypted using RT's public key. In step 325, the control rights package may be transmitted back to the requesting terminal via one or more communications networks or directly from OT to RT.

[0080] FIG. 10 shows a portion of the method as performed by a requesting terminal after receiving a control rights package from an owner terminal. In step 327, the requesting terminal receives and decrypts the control rights package using its private key. Optionally (not shown), when the requesting terminal includes a display, the user may view the access granted by the owner. Separately, in step 329, the requesting terminal receives and prepares a control command. The control command may be from a user of the requesting terminal or from some other source controlling the terminal. The control command may be hashed, and the hash encrypted using RT's private key. This encrypted hash may be used as a signature for a control package to be sent to an appliance. In step 321, the requesting terminal prepares a control package to send to an appliance. The control package contains identification, authorization, and control information for use by the appliance. The requesting terminal may assemble in the control package the control command, the encrypted hash of the control command, the modified ticket definition, and the encrypted copy of the hash and RT's public key (from step 321) as received from OT. The entire control package may then be encrypted using the appliance's public key. In step 333, the requesting terminal may send the control package to the appliance for which access rights were granted by OT.

[0081] FIG. 11 shows a portion of the method as performed by an appliance after receiving a control package from a terminal. In step 335, the appliance receives and decrypts (using the appliance's private key) the control package received from the requesting terminal. After decrypting the message, the appliance may perform a data integrity check based on the control command in steps 337 and 339. The appliance may hash the received control command in step 337, and decrypt (using RT's public key) the encrypted hash of the control command received from RT, in step 339. The appliance compares the two hashes in step 341. If the two hashes are the same, then the data integrity check is successful, and the controlling terminal is identified as RT in step 343. If the hashes are not the same, then the control process may terminate, optionally informing the terminal why the control command was not accepted (namely, because there is a data integrity error or the controlling terminal could not be identified).

[0082] In step 345, the appliance may decrypt the package containing the encrypted public key and hash (from step 321) using OT's public key. The appliance may then, in steps 347 and 349, compare the decrypted public key with a known or verified copy of RT's public key. If the keys are the same, then control is passed to step 351. In step 351, the ticket definition presented by RT is verified to be authentic because OT's public key was successfully used to decrypt RT's public key. That is, the appliance determines that the rights granted in the ticket definition were in fact granted to RT because if the decrypted public key did not match RT's public key, then the rights were not in fact granted to RT. If the keys are not the same, then the control process may terminate, optionally informing the terminal why the command was not accepted (namely, because the terminal granting rights to RT could not be authenticated/verified).

[0083] In step 353, the appliance compares the decrypted hash (decrypted in step 345, above) to a hash of the received ticket definition that is created by the appliance. This is performed to verify that the rights presented by the requesting terminal are the same rights as those granted by the owner terminal. If the two hashes are the same, then in step 355 the rights are verified to be the same as those rights originally granted by the owner terminal, and control passes to step 357. If the hashes are not the same, then the control process may terminate, optionally informing the terminal why the command was not accepted (namely, because the ticket definition has been modified without authorization).

[0084] Having verified that the rights were granted to RT, the identity of RT, and that the rights presented by RT are the same rights granted by OT, the appliance may execute the control command in step 357.
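The exchange of FIGS. 8-11 as an added Go example that is not part of the patent: Ed25519 signatures stand in for the patent's "hash, then encrypt the hash with the private key", the confidentiality layer (each package encrypted with the recipient's public key) and the CA certificate check of step 313 are left out, and the ticket fields, the JSON encoding and the function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Ticket is the ticket definition an appliance hands to an unknown terminal
// (FIG. 8, step 303) and that the owner terminal fills in (step 317). The
// field names are constructed for this example; the page fixes no wire format.
type Ticket struct {
	ApplianceUID string
	FunctionID   string
	Level        int       // level of rights for FunctionID (FIG. 7)
	ValidUntil   time.Time // validity period of the rights (FIG. 7)
}

// ControlPackage is what RT sends to the appliance (steps 331-333).
type ControlPackage struct {
	Command    []byte
	CommandSig []byte            // RT's signature over Command (the "encrypted hash" of step 329)
	Ticket     []byte            // modified ticket definition, JSON-encoded
	RTPub      ed25519.PublicKey // RT's public key as presented by RT
	Grant      []byte            // sha256(Ticket) || RT public key, as packaged by OT in step 319
	GrantSig   []byte            // OT's signature over Grant (the "encrypted package" of step 321)
}

// ownerGrant plays OT (FIG. 9). rtSig is RT's signature over ticketDef from
// step 305. OT identifies RT from it, writes the rights in, and signs the
// ticket hash together with RT's public key so only RT can use the ticket.
func ownerGrant(otPriv ed25519.PrivateKey, rtPub ed25519.PublicKey, ticketDef, rtSig []byte,
	level int, validUntil time.Time) (ticket, grant, grantSig []byte, err error) {
	if !ed25519.Verify(rtPub, ticketDef, rtSig) { // steps 313-315
		return nil, nil, nil, errors.New("requesting terminal could not be identified")
	}
	var t Ticket
	if err = json.Unmarshal(ticketDef, &t); err != nil {
		return nil, nil, nil, err
	}
	t.Level, t.ValidUntil = level, validUntil // step 317
	ticket, _ = json.Marshal(t)               // cannot fail for this struct
	h := sha256.Sum256(ticket)                // step 319
	grant = append(h[:], rtPub...)
	return ticket, grant, ed25519.Sign(otPriv, grant), nil // step 321
}

// buildControlPackage plays RT's steps 329-331.
func buildControlPackage(rtPriv ed25519.PrivateKey, ticket, grant, grantSig, cmd []byte) ControlPackage {
	return ControlPackage{Command: cmd, CommandSig: ed25519.Sign(rtPriv, cmd), Ticket: ticket,
		RTPub: rtPriv.Public().(ed25519.PublicKey), Grant: grant, GrantSig: grantSig}
}

// applianceVerify plays the appliance (FIG. 11, steps 335-357). It returns the
// verified ticket, or an error naming the check that failed, for reporting back.
func applianceVerify(otPub, trustedRTPub ed25519.PublicKey, p ControlPackage, now time.Time) (Ticket, error) {
	var t Ticket
	if !ed25519.Verify(p.RTPub, p.Command, p.CommandSig) { // steps 337-343
		return t, errors.New("data integrity error: command signature invalid")
	}
	if len(p.Grant) != sha256.Size+ed25519.PublicKeySize ||
		!ed25519.Verify(otPub, p.Grant, p.GrantSig) { // step 345
		return t, errors.New("granting terminal could not be authenticated")
	}
	grantedHash, grantedPub := p.Grant[:sha256.Size], p.Grant[sha256.Size:]
	if !bytes.Equal(grantedPub, trustedRTPub) || !bytes.Equal(p.RTPub, trustedRTPub) { // steps 347-351
		return t, errors.New("rights were not granted to this terminal")
	}
	if h := sha256.Sum256(p.Ticket); !bytes.Equal(grantedHash, h[:]) { // steps 353-355
		return t, errors.New("ticket definition modified without authorization")
	}
	if err := json.Unmarshal(p.Ticket, &t); err != nil {
		return t, err
	}
	if now.After(t.ValidUntil) { // validity period (FIG. 7); expired rights are refused
		return t, errors.New("rights expired")
	}
	return t, nil // step 357: the caller may now execute p.Command
}
```

The appliance's trusted copy of RT's public key (step 349) is passed in as `trustedRTPub`; in the patent it comes from the CA certificate or the synchronized database.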

[0085] In some embodiments, an appliance may maintain a list of terminal IDs that have been recently removed but whose access rights have not yet been updated in the authentication database in the terminal or in the network, depending on where the database is stored. That is, when rights granted in a ticket definition expire, the terminal whose rights expired may be added to a “blacklist” until such time as the expired rights are updated in the database. Also, just as an owner terminal may grant additional rights, an owner terminal may modify a ticket definition so as to reduce or eliminate a requesting terminal's rights. In such a case, where the rights are terminated altogether, an appliance receiving such a ticket definition may add the terminal to a blacklist until the rights are revoked in the central database. A terminal may be added to the blacklist locally or remotely.

[0086] Wherever the above description refers to method steps, the method steps may be encoded in computer readable instructions stored in a memory, such that when the computer readable instructions are executed by a processor, they cause the device in which the processor is located to perform the method steps.

[0087] While the invention has been described with respect to specific examples including presently preferred modes of carrying out the invention, those skilled in the art will appreciate that there are numerous variations and permutations of the above described systems and techniques that fall within the spirit and scope of the invention as set forth in the appended claims.

What is claimed is:
 1. A method of remotely granting access to appliances in a smart environment, comprising the steps of: (i) a controlling terminal receiving access information from an appliance; (ii) the controlling terminal sending an access request to an administrator terminal, based in part on the access information; and (iii) the controlling terminal receiving access authorization from the administrator terminal.
 2. The method of step 1, further comprising the steps of: (iv) the controlling terminal sending the access authorization to the appliance; (v) the controlling terminal sending a control command to the appliance; and (vi) the appliance performing the requested control command.
 3. The method of step 1, further comprising the step of updating a central database with the access authorization.
 4. The method of step 1, wherein the access information comprises an authorization template specific to the appliance.
 5. The method of step 1, wherein the access information comprises contact information for the administrator terminal.
 6. The method of claim 1, wherein communications between said appliance, said controlling terminal, and said administrator terminal use public key, private key encryption.
 7. A method of verifying a recipient of a set of access rights using public key, private key encryption, comprising the steps of: (i) a first terminal hashing data corresponding to a definition of access rights associated with a second terminal; (ii) the first terminal encrypting the hash created in step (i) and the second terminal's public key, using the first terminal's private key; (iii) an appliance receiving the encrypted hash and public key with the data corresponding to the definition of access rights; (iv) the appliance decrypting, using the first terminal's public key, the received encrypted hash and public key; (v) comparing the decrypted public key to a trusted copy of the second terminal's public key, and (vi) the appliance hashing the data; and (vii) comparing the hash of step (vi) with the decrypted hash of step (iv).
 8. A method of remotely granting access to an appliance, comprising the steps of: (i) prohibiting access to an appliance by a controlling terminal; (ii) sending an access request originating from the controlling terminal to an administrator terminal through a network; (iii) a server receiving an authorization for access from said administrator terminal, wherein said authorization comprises modified access rights for the controlling terminal; (iv) updating a central authorization database in the server with information from said modified access rights; (v) synchronizing a remote authorization database in the controlling terminal with the central authorization database; (vi) sending authorization information in the remote authorization database to the appliance; and (vii) granting control of the appliance by the controlling terminal based on the authorization information.
 9. A method of remotely granting access to appliances, comprising the steps of: (i) prohibiting access to an appliance by a controlling terminal; (ii) the controlling terminal sending an access request to an administrator terminal through a network; (iii) the controlling terminal receiving an authorization for access from the administrator terminal, wherein the authorization comprises access right information corresponding to the controlling terminal; (iv) sending the access rights to the appliance; (v) granting control of the appliance to the controlling terminal; and (vi) synchronizing the access rights with a central authorization database.
 10. The method of claim 9, wherein communications between the controlling terminal, the administrator terminal, and the appliance use public key, private key encryption.
 11. A method of remotely granting access to an appliance, comprising the steps of: (i) prohibiting access to an appliance by a controlling terminal; (ii) the controlling terminal sending an access request to an administrator terminal through a network; (iii) a server receiving an authorization for access from said administrator terminal, wherein said authorization comprises access rights information corresponding to the controlling terminal; (iv) updating a central authorization database in the server with the access rights information; (v) synchronizing a remote authorization database with the central authorization database; (vi) sending authorization information in the remote authorization database to the appliance; and (vii) granting the controlling terminal control of the appliance based on the authorization information.
 12. The method of claim 11, wherein communications between the controlling terminal, administrator terminal, and appliance use public key, private key encryption.
 13. A device for use in a smart environment, comprising: a processing unit; a transceiver; a memory comprising computer readable instructions that, when executed by the processor, cause the device to perform the steps of: (i) sending a first control request to an appliance; (ii) receiving an authorization template from the appliance; (iii) sending an authorization request to an administrator terminal; (iv) receiving authorization rights from the administrator terminal; (v) sending a second control request to the appliance, wherein the second control request comprises the received authorization rights and a control command.
 14. The device of claim 13, wherein communications between the device and the appliance and the administrator terminal use public key, private key encryption.
 15. An appliance for use in a smart environment, comprising: a transceiver; a processing unit; a memory comprising computer readable instructions that, when executed by the processor, cause the appliance to perform the steps of: (i) receiving a first control request from a control terminal; (ii) sending an authorization ticket to the control terminal; (iii) receiving authorization information from the control terminal, wherein the authorization information comprises authentication information and a modified authorization ticket comprising authorization rights; (iv) using the authentication information to verify that the authorization rights were granted by an administrator terminal to the control terminal; (v) receiving a control command from the control terminal; and (vi) when the authorization rights were granted by the administrator terminal, performing the received control command.
 16. The appliance of claim 15, wherein communications between the appliance and the control terminal use public key, private key encryption.
 17. The appliance of claim 15, wherein step (iv) comprises the steps of: a. decrypting an encrypted public key, using an administrator terminal's public key, and b. comparing the decrypted public key to a trusted copy of the control terminal's public key.
 18. A method of granting access rights to a terminal, comprising the steps of: (i) a user terminal receiving a definition of rights from an appliance; (ii) the user terminal sending the definition of rights to an administrator terminal; (iii) the administrator terminal modifying the definition of rights to include access rights associated with the user terminal; (iv) the administrator terminal sending the modified definition of rights to the user terminal; (v) the user terminal sending the modified definition of rights to the appliance; (vi) the user terminal sending a control command to the appliance; and (vii) the appliance executing the control command.
 19. The method of claim 18, wherein the communications between the administrator terminal, the user terminal, and the appliance use public key, private key encryption.